It’s the time of year when crystal balls get a viewing and many pundits put out their annual predictions for the coming year. Rather than thinking up my own, I figured I’d regurgitate what many others are expecting to happen.

10 IoT Predictions for 2017 – IoT was my number 1 in The Top 10, Top 10 Predictions for 2016 and no doubt, IoT will continue to cause havoc. People focus so much on the ‘things’ themselves rather than the risk of an internet connection. This list discusses how IoT will grow up in 2017, how having a service component will be key, the complete mess of standards and simply, ‘just because you can connect something to the Internet doesn’t mean that you should.’

10 Cloud Computing Trends to Watch in 2017 - Talkin' Cloud posts Forrester’s list of cloud computing predictions for 2017 including how hyperconverged infrastructures will help private clouds get real, ways to make cloud migration easier, the importance (or not) of megaclouds, that hybrid cloud networking will remain the weakest link in the hybrid cloud and that, finally, cloud service providers will design security into their offerings. What a novel idea.

2017 Breach Predictions: The big one is inevitable – While not a list, per se, NetworkWorld talks about how we’ll see more intricate, complex and undetected data integrity attacks and for two main reasons: financial gain and/or political manipulation. Political manipulation? No, that’ll never happen. NW talks about how cyber attacks will get worse due to IoT and gives some ideas on how to protect your data in 2017.

Torrid Networks’ Top 10 Cyber Security Predictions For 2017 – Dhruv Soi looks at the overall cyber security industry and shares that many security product companies will add a machine learning twist to their products and, at the same time, there will be next-gen malware with the ability to bypass machine learning algorithms. He also talks about the fast adoption of Blockchain, the shift towards mobile exploitation and the increase of cyber insurance in 2017.

Fortinet 2017 Cybersecurity Predictions: Accountability Takes the Stage - Derek Manky goes in depth with this detailed article covering things like how IoT manufacturers will be held accountable for security breaches, how attackers will begin to turn up the heat in smart cities and if technology can close the gap on the critical cyber skills shortage. Each of his 6 predictions includes a detailed description along with risks and potential solutions.

2017 security predictions – CIO always has a year-end prediction list and this year doesn’t disappoint. Rather than reviewing the obvious, they focus on things like dwell time, or the interval between a successful attack and its discovery by the victim. In some cases, dwell times can reach as high as two years! They also detail how passwords will eventually grow up, how the security blame game will heat up and how mobile payments, too, will become a liability. A little different take and a good read.

Predictions for DevOps in 2017 – I’d be remiss if I didn’t include some prognosis about DevOps - one of the most misunderstood terms and functions of late. For DevOps, teams will start to include security as part of development instead of as an afterthought, we’ll see an increase in the popularity of containerization solutions and DZone sees DevOps principles moving to mainstream enterprise rather than one-off projects.

10 top holiday phishing scams – While many of the lists are forward-looking into the New Year, this one dives into the risks of the year end. Holiday shopping. A good list of holiday threats to watch out for including fake purchase invoices, scam email deals, fake surveys and shipping status malware messages begging you to click the link. Some advice: Don’t!

Bonus Prediction!

Top 10 Most Popular Robots to Buy in 2017 – All kinds of robots are now entering our homes and appearing in society. From vacuums to automated cars to drones to digital assistants, robots are interacting with us more than ever. While many are for home use, some also help with the disabled or help those suffering from various ailments like autism, a stroke or even a missing limb. They go by many monikers like Asimo, Spot, Moley, Pepper, Jibo and Milo to name a few.

Are you ready for 2017?

If you want to see if any of the previous year’s prognoses came true, here ya go:

Last week we talked about WebSafe and how it can help protect against phishing attacks with a little piece of code. This is important since malware can steal credentials from every visited web application from an infected machine. This time we’re going to look at how to protect against credential grabbing on a BIG-IP APM login page with WebSafe encryption layer.

You’ll need two modules for this, BIG-IP APM and of course, WebSafe Fraud Protection Service. The goal is to protect the laptop from any malware that grabs sensitive login credentials. In this case, the malware would be configured to grab the login page along with the username and password parameter fields. Command and control could also be set to retrieve any credentials from the infected machine at certain intervals, like every 5 minutes.

The first goal would be to encrypt the password. Within your BIG-IP admin GUI, you would navigate to Security>Fraud Protection Service> Anti-Fraud Profiles>URL List. APM’s logon page usually ends with ‘/my.policy’.

Create the URL entry, then click that URL to open the configuration page and enable Application Layer Encryption.

Then select the Parameters tab to configure the fields you want to protect. In this case those are the password and username fields.

In the screen grab, you can see that ‘Obfuscate’ is selected, and that the password field is also set to both ‘Encrypt’ and ‘Substitute Value’.

Now when the user goes to the page, a bit of JavaScript is injected into the page to protect the specified fields. If you run HttpWatch or Wireshark against the page, you’ll see that the values for those parameters are obfuscated. This makes it incredibly difficult for the bad actor to determine the correct value.

And if the malware also grabs the password, since we set that to encrypt, all they get is useless information.

At this point, the BIG-IP will decrypt the password and pass the traffic on to the appropriate domain controller for verification. This is a great way to protect your login credentials with BIG-IP. If you’d like to see a demonstration of this, check out F5’s Security Specialist Matthieu Dierick’s demo video. Pretty cool.

Excuse for speeding 10 years from now: ‘Officer, it was the software.’

When I was in college, I would drive the 1040 miles from Marquette Univ. in
Milwaukee to my parents’ house in Rhode Island for things like summer vacation
and semester break. It seemed to take forever, especially through
Pennsylvania where the state speed limit at the time was 55mph. I always
tried to complete it straight through yet would inevitably start the head drop
and would fall asleep at some rest stop in Connecticut, about 3 hours from my
goal. This is back when they still had toll booths
on the Connecticut turnpike.

As an adult, my family has driven the 2000 miles from California to Minnesota
to visit family. In both instances, I wished I could simply doze off, take a
little nap, stay on the road and awake a couple hundred miles closer to the
destination. Yes, we alternated drivers but that also meant I wasn’t
driving. For some reason, I had a much easier time falling asleep while holding
the steering wheel than in shotgun position.

Soon, you just might be able to notch that seat in recline or even stretch
out in the back – do I hear third row - while your car continues on its merry
way. Deutsche Telekom and Nokia conducted the first demonstration of car-to-car
communication over a high speed cellular connection with close to 5G
performance. And they did it on the recently inaugurated Digital A9 Motorway
Test bed - Germany’s Autobahn. The cars connected over a regular LTE service
optimized for rapidly moving vehicles. They used a cellular network since it is
already in place and didn’t need to negotiate a digital handshake to connect.

Nokia says that its technology cut the transmission lag time to under 20
milliseconds, versus today’s limit of 100+ milliseconds, give or take. And it is
counting the relay time from one car to another, via a central cloud. This was
simply a test to see how self-driving cars could communicate while travelling at
high speeds. These connected cars will have a lot of data chatter but outside
our earshot.

There is also growing attention to automobile vulnerabilities as more of
these driverless cars start to appear on our roads. Recorded Future has a great
graphic showing some of the attacks and exploits against automakers, vehicles
and components since 2010.

Just like our applications, there is a growing list of the types of hackers
focused on connected vehicles. Researchers, criminals, insiders,
competitors and even nation states are all targeting these vehicles for
their own purposes. And they all have their own motives as you can imagine.
TechCrunch has an excellent article Connected
Car Security: Separating Fear From Fact which digs into the short history of
car vulnerability research along with the various players and what they are
digging for.

Meanwhile, Ford Motors announced that they will begin testing
self-driving cars at a Michigan facility called Mcity. A fake town with
stores, crosswalks, street lights and other scale structures to test the
software and sensors controlling the car. They’ve also announced that whatever
driver data is generated (which can be up to 25GB an hour) is the customer’s
data. Ford
says they will only share it with the customer’s informed consent and
permission.

And lastly, a Google
self-driving car was lit-up by a CHiP in Mountain View for going too slow –
24mph in a 35 zone. Too bad no one was at the wheel to sign for the ticket. The
officer quickly realized that he pulled over an autonomous car and asked the
human passenger about the speed settings while reminding him of the CA Vehicle
Code. This model tops out at 25mph for safety reasons and no ticket was issued.

Jonathan George, Sr. Product Marketing Manager, talks about the various
threats that can occur on a carrier network. Mobile devices are becoming a hot
target for malicious attacks and users may not be aware that they have
potentially become part of a botnet. And it is not just mobile devices, as IoT
grows, your refrigerator could potentially participate in a DDoS attack.
Jonathan focuses on some of the DNS
solutions available that can help mitigate DNS DDoS attacks and malicious
communications on a service provider network.

A recent joint
study from IDC and the National University of Singapore (NUS) predicts that
companies around the globe will spend around $491 billion in 2014 for fixes and
recovery from data breaches and malware. The sponsor, Microsoft, also noted that
pirated software tweaked with intent is a common method of getting inside.
Consumers will likely spend $25 billion as a result of those security threats.
$491 billion is a lot of change and in the spirit of Mobile
Threats Rise 261% in Perspective, I wanted to know what else costs $491
billion.

Apparently, quite a few things!

U.S.
motorists may spend a record $491 billion for gasoline this year. Expensive
oil and increased exports have kept our fuel prices high this year. We are still
under the 2008 average gas price record but we will still spend more due to gas
going up sooner in the year and staying high longer. I know I've seen $4.11 here
in California where the average is $3.94. While the winter blend production does
bring some relief, don't expect major drops due to higher global demand along
with the various feuds in the world.

Back in 2005, the US House of Representatives passed a $491 billion defense
bill. This was when we were still in Iraq and the only reason I find this
interesting is that the cyber-war can now cost as much as real wars. Not really
apple to apples admittedly, but I often talk about how our digital worlds are
colliding and integrating with our physical lives. Either way, the
costs can be very real.

Now at the 3 year mark of the Fukushima meltdown, property damage so far has
been assessed
at approximately US$200 billion but some estimates show that the total
burden will be $491 billion. While one could never put a price on the 19,000
people lost from the earthquake and tsunami, it is kinda spooky that breaches
and malware are on par with nuclear disasters.

According to the Global Business Travel Association (GBTA)
Foundation, business travel was responsible for about 3%
of U.S. GDP in 2012 or $491 billion. Essentially, every dollar of business
travel spending generated about $1.28 in GDP. Of the $491 billion total, $208
billion accrued directly to businesses that served travelers or meeting
attendees.

In 2011 the European chemical industry contributed 20.9% of the world’s
chemical sales valued at €2353 billion, generating €491 billion of revenues and
employing 1.16 million people.

The malware market is on par with the likes of defense budgets, nuclear
disasters, overall energy consumption and an entire country's import bill. It is
often hard to quantify such large dollar amounts but when compared to the other
$491 billion items, you can get a real sense of the magnitude.

I've been travelling the last few weeks shooting some videos for VMware
PEX and RSA. When
that happens, my browser tabs get crowded with the various stories I'm
interested in but will read later. This time they all seemed to hover around
Identity Theft. When I got home, in my awaiting physical mail was a letter from
Target. I also returned something to a national hardware store and the cashier
tried to crumple my credit-card-info-having receipt into a trash can.
Kismet.

Let's take a look...

The FTC recently announced that Identity
Theft is the #1 complaint in 2013, for the 14th consecutive year. Is that a
record? While down slightly from 2012, it still accounted for 14% of the 2
million overall complaints. This is down from 18% in 2012. Florida, followed by
Georgia and California were the worst hit states for ID theft. The IRS has also
named Identity Theft as their #1 Dirty Dozen Tax scam for 2014.

Speaking
of California, 7.5 million of the over 110 million breached Target accounts
were Californians. California is one of the few states that require disclosure
when more than 500 accounts are compromised. The first year California required
reports, 2012, there were 131 breaches reported...in 2013 that rose to 170. The
other interesting thing about California breaches is that many target smaller
companies. In 2012, half of the reported breaches came from companies with fewer
than 2500 employees and almost a third were businesses with less than 250
employees. Being small and relatively unknown is no shield.

Also in Southern California, the Feds busted a couple guys running a Tijuana-based
identity theft ring. These dudes broke into a U.S. based mortgage broker's
servers and siphoned off mortgage applications which included most of the
borrower's personal info: name, birthday, SSN, DL number, tax info, the works.
They then used that info to open credit lines and, with the info they had, were
able to change access to the people's brokerage accounts. From there,
transferring money to other accounts was a snap. From Dec 2012 thru June 2013
they stole personal data on 4200 individuals.

Javelin Strategy and Research released their annual 2014
Identity Fraud Study stating that in 2013, a new instance of identity fraud
occurred every 2 seconds. 1 Mississippi, 2 Mississippi. Another. There were 13.1
million identity fraud victims in 2013. While the number of people is going up, the
actual money stolen, according to Javelin, is going down. They estimated
the total cost of identity fraud in 2013 to be around $18 billion, more than $3
billion less than 2012. 2004 holds the record at $48 billion. Attackers are now
focusing on opening new accounts rather than piggybacking on existing credit
cards. Account take-overs, particularly for utilities and mobile phones, are the
new freebies. Most of the stolen info appears to be from corporate breaches and
about 1/3 of those who receive a breach letter actually become a theft victim.
Your debit card also seems more valuable than your social security number. 46%
of consumers with breached debit cards became victims versus only 16% of those with
breached SSNs.

And in an interesting twist, the top
complaint against debt collectors is mistaken identity. Trying to collect a
debt from the wrong person was by far, the most common complaint to the Consumer Financial Protection Bureau
(CFPB). I know this all too well since over the last 3+ years, we've been
getting debt collection calls looking for a certain person. We tell them that
we've had our phone number for years and to stop calling. A few months go by, the
debt gets sold to another collector and we get calls again. It got so bad that
this person's own mother called to tell her son that the dad was in the hospital
and probably wouldn't make it. About 2 weeks later we got a call from another
family member looking to talk about the father's death. This guy was running
from debt so much so, that his own mother couldn't get a hold of him when dad
was on his death bed. Now that's bad.

So where do we go from here? Will we all need that personal chip installed on
our left earlobe to verify identity? The payment terminal says, 'Please
listen for verification.' Riff-raff will then be all like, 'Oh, listen
to this cool song,' as they plug the bud into your ear only to suck the
data off your PID chip. You didn't hear? That's our IPv6 Personal Identity Chip
inserted into every newborn starting in 2025.

The F5 Web Fraud Protection solution helps financial institutions protect their customers from the rise of phishing attacks, malware, and automated transactions; the techniques used by fraudsters to steal information, money, and peace-of mind.

You might not know but last week was the 10
year birthday of Cabir, the first
mobile malware. It spread through Bluetooth after infecting the Nokia Series 60
phones running Symbian. Also last week, Kindsight Security Labs (Alcatel-Lucent)
released the results
of a study (pdf) that found more than 11.6 million mobile devices are
infected by mobile malware at any given time and that mobile infections
increased 20% globally in 2013.

This, obviously, increases risk for stolen personal and financial
information, can lead to bill shock resulting from hijacked data usage, or
extortion to regain control of the device along with allowing bad guys to
remotely track location, download contact lists, intercept/send messages, record
conversations and best of all, take pictures.

About 60% of all mobile infections involved Android devices that downloaded
malicious software from the Google Play store and 40% were Android phones that
received malicious code while tethered to a Windows laptop. Both Blackberry and
iPhone combined to represent less than 1% of all infected devices. 4G LTE
devices are the most likely to be infected and the number of mobile malware
samples grew 20X in 2013. This will only get worse as new strains are released,
like the proof of
concept code that is capable of tracking your taps and swipes as you use a
smartphone. That's right, monitor touch events. Say a phone has not been
touched in a while and suddenly there are 4 touch events. Well, that's probably a
PIN, according to Forbes
contributor Tamlin Magee. Add to that a screenshot, now you can overlay the
touches with the screenshot and know exactly what is being entered.

You know it and I know it: The more we become one with our mobile devices,
the more they become targets. It holds our most precious secrets which can be
very valuable to some. We need to use care when operating such a device since,
in many ways, our lives depend on it. And it is usually around this point in the
article that I chastise mobile users for careless behavior but in this instance,
there are certainly times where there is nothing you can do. You can be
paranoid, careful and only visit the branded app stores yet the risk is still
present.

Our homes are being invaded...but not with critters that you'd call an
exterminator for. Last summer I wrote Hackable
Homes about the potential risks of smart homes, smart cars and
vulnerabilities of just about any-'thing' connected to the internet. (I know,
everyone loves a bragger) Many of the many 2014
predictions included the internet of things as a breakthrough technology?
(trend?) for the coming year. Just a couple weeks ago, famed security expert Bruce Schneier wrote about how the IoT
(yes, it already has its own 3 letter acronym) is wildly insecure and often
unpatchable in this
Wired article. And Google just bought Nest Labs, a home automation company
that builds sensor-driven, WiFi enabled thermostats and smoke detectors.

So when will the first refrigerator botnet launch? It already has.

Last week, Internet security firm Proofpoint said the bad guys have already
hijacked
up to 100,000 devices in the Internet of Things and used them to launch
malware attacks. The first cyber attack using the Internet of Things,
particularly home appliance botnets. This attack included everything from
routers to smart televisions to at least one refrigerator. Yes, The Icebox! As
criminals have now uncovered, the IoT might be a whole lot easier to infiltrate
than typical PCs, laptops or tablets.

During the attack, there were a series of malicious emails sent in 100,000
lots about 3 times a day from December 23 through January 6. They found that
over 25% of the volume was sent by things that were not conventional laptops,
desktops or mobile devices. Instead, the emails were sent by everyday consumer
gadgets such as compromised home-networking routers, connected multi-media
centers, televisions and that one refrigerator. These devices were openly
available primarily due to the fact that they still had default passwords in
place.

If people don't update their home router passwords or even update the
software, how are they going to do it for the 50+ (give or take) appliances they
have in their home? Heck, some people have difficulty setting the auto-brew
start time for the coffee pot, can you imagine the conversations in the future?
'What's the toaster's password? I need to change the bagel setting!'
Or 'Oh no! Overnight a hacker replaced my fine Kona blend with some decaf
tea!' Come on. Play along! I know you got one you just want to blurt
out!

I understand this is where our society/technology/lives are going and I
really like the ability to see home security cameras over the internet but part
of me feels, is it really necessary to have my fridge, toaster, blender and toilet
connected to the internet? Maybe the fridge alerts you when something buried in
back is molding. I partially get the thermostats and smart energy things but I
can currently program my thermostat for temperature adjustments without an
internet connection. I push a few buttons and done. Plus I don't have to worry
about someone firing up my furnace in the middle of July.

We have multiple locks on our doors, alarm systems for our dwellings,
security cameras for our perimeter, dogs under the roof and weapons ready yet
none of that will matter if the digital locks for our 'things' are made of
dumpling dough. Speaking of dumplings, the smart-steamer just texted me with a
link to see the live feed of the dim sum cooking - from inside the pot!